LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-15-2003, 10:46 AM   #1
rbrasil
LQ Newbie
 
Registered: Dec 2003
Distribution: conectiva, debian
Posts: 5

Rep: Reputation: 0
Do I need an firewall if I set my tcpwrappers like this?


I set my tcpwrappers like this, is it secure?
Do I need a firewall?

/etc/hosts.allow:

ALL: 127.

/etc/hosts.deny:

ALL: ALL
 
Old 12-15-2003, 11:27 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
A firewall is usually not considered optional; you need it regardless of how you have your host configured. A firewall is a hedge-bet hoping that you have everything configured right, but just in case... Also, some times software (or OS) updates on your system will have unintended consequences and leave you open to things that you weren't open to before. That's what the firewall is for.

In theory, if you properly configure everything on your host and secure all your network applications, you wouldn't need a firewall (indead the SDSC does not use firewalls at all), but this assumes you're an elite security professional who never makes a mistake. You may be a professional, but you're still human, right? Mistakes are made every day...
 
Old 12-15-2003, 01:33 PM   #3
core
Member
 
Registered: May 2003
Location: Berlin
Distribution: Slackware 9.1 Kernel: 2.6.4
Posts: 60

Rep: Reputation: 15
Not every service runs through inetd/tcpwrappers (say - tcpd).
For example the X Server listens on port 6000/tcp by default, changes to your /etc/hosts.* files doesn't matter for this, as the X Server is not run with inetd/tcpd.
A Packetfilter is the safe bet.
 
Old 12-16-2003, 11:14 PM   #4
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
You still need a firewall.
 
Old 12-17-2003, 10:21 AM   #5
rbrasil
LQ Newbie
 
Registered: Dec 2003
Distribution: conectiva, debian
Posts: 5

Original Poster
Rep: Reputation: 0
Now I'm sure, I really need a firewall, then I have some others questions.

First, I use Debian GNU/Linux, Kernel 2.2.xx, but I don't know if my kernel is configured to firewall (I looked at /proc/net, but there was nothing about ipfw_chains). Do I need to recompile/reinstall my kernel?
There are another way to do this?

Second, All examples of firewall that I saw, have one machine (firewall) between the internal network and the internet with two network cards. I use one machine with only one network card linked to the Internet. Do I need to use NAT or maskarade do make my firewall to work? If so, how to do it with my configuration?

Thank's a lot
 
Old 12-17-2003, 10:59 AM   #6
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
If possible, you should upgrade to at least kernel 2.4.x because I believe the 2.2.x kernels only used ipchains. I don't remember enough about ipchains to help you with issues on that subject.

As for your second question, no. You do not need NAT if you only have one machine (MASQUERADE is just a special form of NAT so you don't need that either).
 
Old 12-18-2003, 09:27 AM   #7
rbrasil
LQ Newbie
 
Registered: Dec 2003
Distribution: conectiva, debian
Posts: 5

Original Poster
Rep: Reputation: 0
Do I need to recompile/reinstall my kernel?

Are there an way of set firewalling with out need to recompile/reinstall the kernel, if it isn't configured to?
My kernel is 2.2.20 and I would like to try ipchains.
But if it is not possible to configure with out recompile/reinstall, I will use the latest kernel, of course.
 
Old 12-18-2003, 11:19 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I use Debian GNU/Linux, Kernel 2.2.xx, but I don't know if my kernel is configured to firewall (I looked at /proc/net, but there was nothing about ipfw_chains). Do I need to recompile/reinstall my kernel?
My kernel is 2.2.20 and I would like to try ipchains.
Check out the modules that came with the kernel.
If you haven't any *then* you need to recompile.
If you don't need the stateful filtering caps or other stuff, then Ipchains is a good start, at least you'll have a firewall...


Are there an way of set firewalling with out need to recompile/reinstall the kernel, if it isn't configured to?
What's called the "firewall" is actually part kernel framework, part user tools. It's not an add-on like some app. The kernel part takes care of the filtering, the userland tools, ipchains in 2.2.x and iptables in 2.4.x, are necessary because you have to "feed" the rules to the kernel. You don't want the kernel to read stuff itself and fsck up.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Dovecot and tcpwrappers in FC3? jonsson Fedora 1 08-09-2010 04:53 AM
3 nics set up firewall box props666999 Slackware 2 09-11-2005 02:05 PM
Firewall set-up with vsftpd aquatux SUSE / openSUSE 2 07-29-2005 03:36 PM
How to set up the firewall properly with SuSE 9.1? jnassiri Linux - Security 2 08-03-2004 12:51 AM
looking to set up a firewall Penguin Dropout Slackware 8 12-21-2002 11:19 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration